Google's $3 million Pwnium 3 challenge focuses on Chrome OS

Trent Nouveau, 29th January 2013

Although Google has made security one of the core tenets of Chrome, it freely admits that that no software is perfect, as security bugs have been known to "slip" through even the most thorough review process.

According to Google's Chris Evans, that is why Mountain View continues to work with security researchers to help find and fix vulnerabilities.

Indeed, HP’s Zero Day Initiative (ZDI) recently announced details for its annual Pwn2Own competition to be held at the CanSecWest security conference taking place March 6-8 in Vancouver, BC.

"This year we’ve teamed up with ZDI by working together on the Pwn2Own rules and by underwriting a portion of the winnings for all targets," Evans confirmed in a blog post.

"The new rules are designed to enable a contest that significantly improves Internet security for everyone. At the same time, the best researchers in the industry get to showcase their skills and take home some generous rewards."

As such, said Evans, Google is announcing its third Pwnium competition for CanSecWest, aptly dubbed Pwnium 3, which is apparently focused on the software giant's rapidly evolving Chrome OS. And yes, there will be plenty of cash handed out - up to $3.14159 million USD - for those who find the listed vulnerabilities.

"The attack must be demonstrated against a base (WiFi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS," Evans explained.

"Any installed software (including the kernel and drivers, etc.) may be used to attempt the attack. For those without access to a physical device, note that the Chromium OS developer’s guide offers assistance on getting up and running inside a virtual machine."

In addition, Standard Pwnium rules will apply, namely the deliverable is the full exploit plus accompanying explanation and breakdown of individual bugs used.

"Exploits should be served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine. The bugs used must not be known to us or fixed on trunk. We reserve the right to issue partial rewards for partial, incomplete or unreliable exploits," Evans added.

As noted above, Pwnium 3 will take place on-site at the CanSecWest conference on March 7.